What is a good tool to regulate employee Internet access?



I am looking for software (or hardware) that we can use in the office to monitor and regulate employee Internet usage.

We currently have a Zywall USG20, but it's very limited in the reporting department; it doesn't list more than the 20 top websites visited per interface (for the whole network, not per IP address).

If there is any hardware we need to buy to put in between our router and firewall, we can use that, or can something like DD-WRT do this?


If you want support and a known name: Barracuda, Blue Coat, or Websense.

There is Smoothwall, m0n0wall, pfSense, and IPCop, with web filtering. Far cheaper going one of these routes.


sc302 is spot on.

 

As a supervisor overseeing a handful of employees for a medium-size company.

We don't regulate our employee internet access.

 

They can access the internet on their lunch hour for all I care. Just don't use it during their work hour. (Unless it's work related)

 

I always tell them they are here to do a job. And access to the internet is a privilege and not a right.

 

Saves money on software. This policy works pretty well for our Company.  :laugh:


Blaze_Zewi,

That's the same approach we have in the office, but so far it's been abused, so we also want to determine who has more time by checking their web habits (who claim they are swamped).

 

We can get an idea by looking at ZyWall logs, seeing who Rx/Tx the most, but nowadays more and more people stream radio which we allow, so that throws our estimates off, then I try to use website hits, but without source/destination data, it's difficult to tell. Last reason is we want to ensure people don't visit sites they are not supposed to (we have no filtering in place at all). I already put a few filters to test, but of course they can simply bypass by using https.

 

Thanks sc302, are those all required to reach the optimum performance or is one enough?

 

and MajorTom1981, do you run Untangle on a dedicated server? I see it requires installation from bootable CD, I thought it was a live-cd type of install with USB for data storage, does this mean I have to supply one of my workstations (or servers) with dual Ethernet and use Untangle on it to route traffic through?


To be fair, a web filter does much more than regulate employees' internet these days. They block internet nasties, drive-bys, malvertising, etc.

Having used Bloxx and Websense and pfSense. Even OpenDNS or Norton DNS can do it if you wanted to get a quick and easy solution.

 

https://dns.norton.com/faq.html

https://www.opendns.com/enterprise-security/solutions/web-filtering/


They can access the internet on their lunch hour for all I care. Just don't use it during their work hour.

 

Sounds to me like you DO regulate it then!?


... but of course they can simply bypass by using https.

Are the computers in your control, or can the employees simply browse the internet using their own devices?

If all the computers are under your control, you can still monitor HTTPS traffic (MitM) by installing your company-crafted certificates (CA) into the browser,

and intercept HTTPS traffic that way. I remember BudMan can show you how.

The above is not applicable if your company goes BYOD style, because the employees will be alerted by wrong certificates when using their own devices.


What End Point Security / Antivirus do you currently use?

 

Chances are it might have a web filtering feature that might do what you want.

 

For example, in Sophos Endpoint Protection you can block websites by category, or manually block a domain / IP address.

 


Have you tried looking into squid-cache as a transparent proxy?

Good call, we use Squid, with squidGuard for filtering and MySAR for reporting - it allows breakdown of most popular sites by hits, data transferred, and the same stats for individual computers and users (though we don't use the users part as the proxy is internal and has no auth).

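The per-computer breakdown by hits and data transferred mentioned in the post above can be produced directly from a Squid access log. This is an added example, not part of any post in the thread and not MySAR's code; it assumes Squid's default native log format, and the sample lines, addresses and host names are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log format:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1400000000.101    120 192.168.1.10 TCP_MISS/200 5120 GET http://news.example.com/index.html - DIRECT/198.51.100.7 text/html
1400000001.250     80 192.168.1.10 TCP_HIT/200 2048 GET http://news.example.com/style.css - NONE/- text/css
1400000002.900  30000 192.168.1.11 TCP_MISS/200 1048576 CONNECT radio.example.net:443 - DIRECT/203.0.113.5 -
1400000003.000     95 192.168.1.11 TCP_MISS/200 900 GET http://shop.example.org/cart - DIRECT/198.51.100.9 text/html
1400000004.000     10 192.168.1.11 TCP_DENIED/403 350 GET http://blocked.example.com/ - NONE/- text/html
this line is truncated
"""

def host_of(method, url):
    """Destination host; HTTPS via CONNECT is logged only as host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def per_client_report(log_text):
    """Aggregate {client_ip: {host: [hits, bytes]}}; malformed lines are skipped."""
    report = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].isdigit():
            continue
        client, size, method, url = fields[2], int(fields[4]), fields[5], fields[6]
        entry = report[client][host_of(method, url)]
        entry[0] += 1          # hits (denied requests count as hits too)
        entry[1] += size       # bytes delivered to the client
    return report

def top_sites(report, client, n=20, by="bytes"):
    """Top n (host, hits, bytes) rows for one client, ranked by 'bytes' or 'hits'."""
    key_index = 2 if by == "bytes" else 1
    rows = [(host, v[0], v[1]) for host, v in report.get(client, {}).items()]
    return sorted(rows, key=lambda r: r[key_index], reverse=True)[:n]

if __name__ == "__main__":
    rep = per_client_report(SAMPLE_LOG)
    for ip in sorted(rep):
        print(ip)
        for host, hits, size in top_sites(rep, ip):
            print(f"  {host:25} hits={hits:<4} bytes={size}")
```

Without authentication on the proxy, rows are keyed by client IP, so the mapping to a person depends on stable address assignment.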

Would really look to professional companies to do this.. Websense, Bluecoat - both of which support filtering in the cloud.. So you don't have to install anything at site.  Managed all by a website, etc.  Just a config on your firewall to prevent users from bypassing it.

 

Cost is per user, etc.  If you had to ask how to do it - this is going to be the best route to be honest..  Setting up and managing web content filtering/proxy is not really something the IT tinker is going to be up for - are you the IT staff for your location, do you have an IT dept?


The VC group that owns Omnitracs also owns Websense... that's all I have to add to this discussion :whistle:

 

Is there some conspiracy we should be aware of?

 

Have you tried looking into squid-cache as a transparent proxy?

 

Never heard of that before, will check. Thanks.

 

To be fair, a web filter does much more than regulate employees' internet these days. They block internet nasties, drive-bys, malvertising, etc.

Having used Bloxx and Websense and pfSense. Even OpenDNS or Norton DNS can do it if you wanted to get a quick and easy solution.

 

https://dns.norton.com/faq.html

https://www.opendns.com/enterprise-security/solutions/web-filtering/

 

I love the idea of Norton ConnectSafe, I think it would be really nice for home networks too, https://connectsafe.norton.com/configureRouter.html except I am not sure if using their DNS is going to bottleneck our custom software, and also it just allows us to use their DNS but does not have any reporting capability. We really don't want to over-block their usage because the company actually relies on the internet to do its job. Every user is online throughout the day, which is why it is easier to surf random websites without being noticed.

Perhaps the small business edition might provide more info/options. This kind of DNS-based system would work well, until users change the DNS of the individual PCs they are working on. Am I correct?

 

Are the computers in your control, or can the employees simply browse the internet using their own devices?

If all the computers are under your control, you can still monitor HTTPS traffic (MitM) by installing your company-crafted certificates (CA) into the browser,

and intercept HTTPS traffic that way. I remember BudMan can show you how.

The above is not applicable if your company goes BYOD style, because the employees will be alerted by wrong certificates when using their own devices.

 

Computers are under our control, however they have administrator rights because the software we use does not function properly (it constantly updates) and when it's in Standard User the software fails to work. I looked everywhere for a sandbox type of system for Windows 7 and 8, where everything would be blocked, but that software would have administrator privileges, it did not work well.

 

What End Point Security / Antivirus do you currently use?

 

Chances are it might have a web filtering feature that might do what you want.

 

For example, in Sophos Endpoint Protection you can block websites by category, or manually block a domain / IP address.

 


 

We use Norton Network Security on each workstation, I looked into a router based security but it was recommended by Neowin community that I still maintain individual workstation security since we get a lot of emails and those might bypass router based security (if it can pass our email server security). So I did not implement any router based security (which I would love to, instead of trying to update licenses on each workstation every year)

 

Would really look to professional companies to do this.. Websense, Bluecoat - both of which support filtering in the cloud.. So you don't have to install anything at site.  Managed all by a website, etc.  Just a config on your firewall to prevent users from bypassing it.

 

Cost is per user, etc.  If you had to ask how to do it - this is going to be the best route to be honest..  Setting up and managing web content filtering/proxy is not really something the IT tinker is going to be up for - are you the IT staff for your location, do you have an IT dept?

 

We don't have IT dept in our NY branch, I've been managing IT related issues as part of my managerial work since I've been there, our HQ in West Coast runs their own filtering software (forgot what it's called) but they pay an outside IT dept to do it for them, if I remember correctly, they manage everything through sonicwall. We don't really need something too complicated as long as we can access logs and see what is going on and then decide what to do. If we realize that users don't spend too much time on the net, we may not even need a complicated system. It's just frustrating we cannot access logs and website hits and bandwidth for those sites per workstation using a sophisticated firewall.

 

Cloud based system where we can forward DNS of individual workstations and then receive reports from that DNS with PC name might be the best option. I don't know if setting up via router will enable reporting of individual workstation surfing habits.


SonicWALLs have a plug-in that you can purchase for web filtering.  Web filtering is an add-on service to most "sophisticated" firewalls or next-gen firewalls.  Firewalls are to protect your inside network from being attacked/bombarded from the outside; their main purpose was not to block/monitor the inside going out.

If you have Active Directory or some other LDAP authentication server for your clients and you want to use OpenDNS, you cannot modify the client DNS server pointers.  I would use OpenDNS with Active Directory integration, pointing your firewall to the OpenDNS servers (provided you have purchased the service from them).  http://info.opendns.com/rs/opendns/images/opendns-ad-integration-guide.pdf

 

https://www.opendns.com/enterprise-security/threat-enforcement/packages/


Hello,

 

Do you have anti-malware software installed on the computers in question?  If so, there may be an option in it to limit network access, in which case, all you need to do is enable it.

 

Regards,

 

Aryeh Goretsky

 

 

 


We are using Smoothwall here and it works pretty well at blocking anything you don't want and you can run reports on pretty much anything. Support staff have been really helpful and friendly on the few occasions I have spoken to them. They have become a little more expensive over the last year or so though.


I have used Untangle and really like it, quick and easy to set up with plenty of features. You can create plenty of reports to see who is browsing what, and with the AD plug-in you can see by user name. The pricing isn't too bad either, with the purchase of 2 of their modules giving you access to all the modules. I also extended the trial from 14 to 28 days, which they were happy to do, which allowed me to demonstrate to my board its capabilities; may even be enough to see who is doing what on your network.


We are using Smoothwall here and it works pretty well at blocking anything you don't want and you can run reports on pretty much anything. Support staff have been really helpful and friendly on the few occasions I have spoken to them. They have become a little more expensive over the last year or so though.

 

It looks good, which one of their products do you use? WAM or BM?

 

I have used Untangle and really like it, quick and easy to set up with plenty of features. You can create plenty of reports to see who is browsing what, and with the AD plug-in you can see by user name. The pricing isn't too bad either, with the purchase of 2 of their modules giving you access to all the modules. I also extended the trial from 14 to 28 days, which they were happy to do, which allowed me to demonstrate to my board its capabilities; may even be enough to see who is doing what on your network.

 

Where does Untangle reside? Can it work as ad-hoc by installing it on each workstation and with a server collecting results or does it have to run on a server in between network and firewall?

I was hoping to actually buy a dedicated hardware (or a tool that can run on each workstation in stealth) instead of running these on another workstation.

 

Soon your employees need to learn how to use VPS/VPN to do their 'privacy' browsing.

 

Doesn't network analysis or logging reveal which workstations are using VPN by identifying mass amount of data through a single VPN provider?


i'm sure your employees love being micromanaged. if they are doing their jobs satisfactorily, and not breaking any laws, regulations, or being offensive, leave them alone! if they are not, fire them and get ones that do. how much time & money does your IT staff waste on this net nannying and thought policing?

 

your goal should be for everyone to make money, and enjoy doing it, not dictating what color underwear they should wear or how to spend their idle time. just keep them busy without overloading them, watching their every move and being the KGB. if they have finished their day's assignments, and you have not given them more to do, why do you care what they do till the bell rings?... as long as it is not illegal, immoral or fattening. if you can think of more to do, ask (with a simple reminder, not a belligerent demand) them to start on it rather than griping about looking at ebay. after all, if you are a good boss, maybe they are looking to buy you a present & you've just blown it.

 

take this to heart and you might find their productivity goes up. and remember your boss is watching you.
